The present invention relates generally to the field of return-oriented programming (ROP), and more particularly to detecting the presence of ROP at runtime.
Return-oriented programming (or ROP) is a computer security exploit technique that allows an ‘attacker’ (i.e., a computer hacker) to execute code in the presence of security defenses such as Data Execution Prevention (DEP). In an ROP attack, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences, called “gadgets”. Each gadget may end in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.
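The following added example (not part of the original disclosure, and not the detection method of the invention) illustrates why a chain of gadgets is observable at runtime: each gadget's return goes to an address that no call instruction saved. It assumes a shadow stack of return addresses, a well-known general technique, and the trace format, function name and all addresses are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed trace model: CALL carries the address execution should return
   to; RET carries the address control actually returned to. */
enum ev_kind { EV_CALL, EV_RET };
struct event { enum ev_kind kind; uint64_t addr; };
#define SHADOW_DEPTH 64

/* Replays a trace against a shadow stack. Returns the number of returns whose
   target differs from the address saved by the matching call (or that have no
   call outstanding), or -1 if nesting exceeds SHADOW_DEPTH. */
int count_return_violations(const struct event *trace, size_t n)
{
    uint64_t shadow[SHADOW_DEPTH];
    size_t top = 0;
    int violations = 0;

    for (size_t i = 0; i < n; i++) {
        if (trace[i].kind == EV_CALL) {
            if (top == SHADOW_DEPTH)
                return -1;
            shadow[top++] = trace[i].addr;
        } else if (top == 0) {
            violations++;                 /* return with no call outstanding */
        } else if (shadow[--top] != trace[i].addr) {
            violations++;                 /* saved return address was replaced */
        }
    }
    return violations;
}

/* Constructed sample traces; all addresses are made up. */
static const struct event benign_trace[] = {
    { EV_CALL, 0x401010 }, { EV_CALL, 0x401120 },
    { EV_RET,  0x401120 }, { EV_RET,  0x401010 },
};
static const struct event hijacked_trace[] = {
    { EV_CALL, 0x401010 }, { EV_CALL, 0x401120 },
    { EV_RET, 0x7f0000001234 }, { EV_RET, 0x7f0000005678 }, { EV_RET, 0x7f0000009abc },
};

int main(void)
{
    printf("benign: %d\n", count_return_violations(benign_trace, 4));
    printf("hijacked: %d\n", count_return_violations(hijacked_trace, 5));
    return 0;
}
```

In the benign trace every return matches its call; in the hijacked trace all three returns are flagged, the last because no call remains outstanding.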